Authentication of users has traditionally been performed based on use of a user name and a password as security credentials. For example, when a user attempts to their account of an account provider (e.g., bank account of a bank), the user (i.e., the account holder) provides the user name and password for their account. The user name is the account identifier of their account, and the password is a shared secret (i.e., shared by the user and the account provider) that is used to verify that the user is authorized to access the account. If the user name matches that of an account of the account provider and the password matches that of the account, then the user is authenticated and allowed access to the account.
The use of a user name and a password for authentication has proved to be less than secure primarily because user names and passwords are susceptible to theft. As one example, a large social network was once hacked and millions of user names and passwords were stolen. As another example, malware that infects computers can install a keystroke logger, which can capture and record user names and passwords as users enter them to log on to their accounts. Of course, once a user name and a password of an account are stolen, the thief can use them to access the user's account.
Once a theft occurs, the thief can often access many accounts of the user because users often use the same user name and password for different accounts. Users use the same user name and passwords, in part, because of the difficulty of remembering different user names and passwords. To further increase security, some account providers have increased the required minimum complexity of passwords. For example, passwords may be required to be at least eight characters long and include a capital letter, a number, and a special character. As the complexity of passwords increases, the difficulty of remembering the passwords also increases. As a result, users are even more inclined to use the same user name and password for different accounts.
To help prevent theft of passwords, some account providers store a hash of a password, rather than storing the password itself. Such account providers may use a one-way hash function that inputs a password and outputs its hash. To authenticate a user, the user provides their password, and the account provider generates the hash of the password. The account provider compares the generated hash to the stored hash, and if they are the same, the user is authenticated. The account provider can then discard the password—so that it cannot be stolen from the account provider. Even if the passwords cannot be stolen from the account providers, passwords are still susceptible to be stolen via a keystroke logger or by malware that searches for files that contain passwords of a user (e.g., a file named “passwords.txt”).
To enhance security, some account providers use multi-factor authentication techniques. For example, when a user enters their user name and password, the account provider may send to the user's telephone a text message with an authentication code and prompt the user to enter the authentication code. Once the user enters the correct authentication code, the user is authenticated. As another example, a user may be provided a token (e.g., a specialized hardware device or a program) that generates codes based on time of day that are synchronized with codes generated by the account provider for that user. To access their account, the user provides their current code along with their user name and password. If the code matches that expected for the account, the user is authenticated. Although multi-factor authentication is much more secure than just single-factor authentication (e.g., user name and password), users still need to remember their complex passwords, which are ideally different for each account.